On 22/08/14 18:13, Nicolai Josuttis wrote:

> to deal with faked keys, some guys had the idea to use
> email verification and let then certification servers
> take that as "casual signing".

I take it that a 'faked key' in this context is one associated with an
unverified email address.  If I send an encrypted message to that email address,
two possible outcomes occur to me:

- the email address belongs to some other person who does not control the key
and he can't open it.  Not much problem here.  My secret remains hidden.

- the email address belongs to a person who does control the key and he may or
may not be the person named in the email address.  I am risking my secrets with
an unknown person.  I had better take care of the nature of those secrets.  It
looks like this is the case covered by your original post.

What extra security does a key server certification give in this case?  It just
says that if you use this key with this email address, the email will be
delivered to someone who controls both the address and the key.

In any case, there is always the possibility that this 'certified' person or key
is actually controlled by someone else.  I have difficulty in seeing what
additional security is provided by a casual signature, given by a key-server or
by any other party.

Philip

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users